3000-0052 

Description 

Method of Storing Data in a Random Acce s s Memory, and an Encryption and Decryption 
Peviee METHOD OF STORING DATA IN A RANDOM ACCESS MEMORY AND 
ENCRYPTION AND DECRYPTION DEVICE 

PRIORITY INFORMATION 

This application claims priority from International application PCT/EP2004/012435, filed 
November 3, 2004 and German application 103 52 401.0, filed November 10, 2003. 

BACKGROUND OF THE INVENTION 

This invention relates in general to data security and in particular to a m e thod of storing 
data in a random access memor y, and to an encryption and d e cryption d e vic e. 

In ord e r t To ensure data security or to protect copyrights with respect to data stored in 
memory , a known approach is to store the data in encrypted form in a read-only memory (ROM), 
such as, for example, an EPROM, EEPROM, CD-ROM, or_DVD-ROM^ete. These data may 
relate to both data from executable programs (program codes) as well as video or audio data. An 
approach is also known whereby video data or audio data are transmitted in encrypted form from 
a transmitting device to a receiving device. 

The obj e ctive is that th e use of the encryption-stored or encryption-transmitted data is 

thereby theoretically enabled only for those users who have a corresponding decryption unit 
(decoder) with a "matching" key. 

Conventional encryption algorithms, such as, for example, the DES method ( DES ~ Data 
Encryption Standard) or the AES method (AES — = — Advanced Encryption Standard) 
encrypt/encode the data blockwise, wherein with the DES method, for example^ 64 data bits are 
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encoded in one block. Since in the PES i bis-method the number of data bits contained in a data 
block is usually greater thant the number of data bits of a data word capable of being processed 
proc e ssable by a processing unit, it is necessary to have the processing unit first store the data 
words obtained after decoding a data block in a random access memory (RAM) before these data 
words undergo further processing. 

These RAMs located externally to the processing unit represents a security risk insofar as 
there is a possibility that the encrypted data can be tapped along the link between the RAM and 
the processing unit. These data, for , example video or audio data, can then be stored in 
unencrypted form, thereby making them accessible to unauthorized use. 

If the data stored in the RAM are happ e n to b e the data of a program code, then there is 
the risk that the program flow may be determined by unauthorized persons. In addition, there is 
the risk that unauthorized program code may be fed into the unit executing the program in ord e r , 
for example, to provide additional functions which ar e not intended suppos e d to be provided by 
the authorized program code. 

What is needed is Th e goal of this inv e ntion is to provid e a relatively secure technique 
m e thod of storing data in a RAM which does not have the aforementioned disadvantages and is 
implementable at relatively low cost, as well as a device to encryp t and /decrypt the data stored 
in a RAM. 

SUMMARY OF THE INVENTION 

Th e s e goals ar e achi e v e d by a m e thod according to Claim 1 and by a d e vic e according to Claim 
12. Advantag e ous e mbodiments of th e inv e ntion ar e d e scrib e d in th e subordinat e claims. 

Briefly, In th e m e thod according to an aspect of the invention^ a method for storing data 
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in a random access memory (RAM) in which data words are storable with a predetermined 
number of data bits, involves an encryption of each data word is e ffected before storag e in the 
RAM, whereby a permutated data word with a predetermined number of data bits is generated 
from each data word T or from a data word derived there from, this data word, b y a_one-to-one 
rearrangement/ or permutation of the individual data bits using a first permutation key. 

An advantag e ous asp e ct of this m e thod is that t The individual data bits of the permutated 
data word are substituted using a first substitution key before the-storage, wherein the data word 
encrypted by permutation and subsequent substitution is stored in the RAM m e mory . In this 
conn e ction, t There is also the possibility of substituting the data bits of the data word to be 
encrypted before the permutation using a first substitution key, and of storing the data word 
obtained from the substitution and subsequent permutation as the encrypted data word. 

The encryption of the individual data words is preferably performed e ff e ct e d in the same 
chip in which the processing unit that p rocessesing the data words is integrated. The data words 
transferred externally from this chip to the RAM m e mory for storage are provided in encrypted 
form in this m e thod , and are thus protected against interference effects or unauthorized tapping 
of the data. In this m e thod, t The encryption is performed eff e ct e d data word by data word, with 
the result that, unlike the case of blockwise encryption, no additional storage on the chip is 
required for the-encryption or a-decryption. 

The permutation or rearrangement of the individual data bits as determined by the 
permutation key represents an effective encryption method. Given a data word width of 32 bits^ 
width, there are 32!~2. 7 6*10 different permutation possibilities. This number of permutation 
possibilities for a data word of 32 bit widthlength increases by a factor of 2 32 when in addition to 
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the permutation a substitution of the input data word, or of the already permutated data word, is 
performed eff e ct e d using a substitution key of 32 bit wkfthJength. 

The substitution of a data word to b e substitut e d is performed e ff e ct e d as determined by 
the substitution key, for example,, by assigning a key bit of the substitution key to each data bit of 
the data word, wherein the respective data bit is mapped, in unchanged or inverted form as a 
function of the value of the assigned substitution key bit, to the data word resulting from the 
substitution. 

In one embodiment, the permutation key comprises a number of unique subkeys 
corresponding to the number of the data bits of the data word to be permutated, these keys each 
being assigned to a data bit of the data word resulting from the permutation. The individual 
subkeys indicate which of the data bits of the data word to be permutated is to be mapped to the 
respective data bit to which the subkey is assigned. 

Each subkey of the permutation key here-comprises a number of key bits, wherein 
preferably provision is made to implement incrementally the mapping of a data bit of the data 
word to be permutated to a data bit of the permutated data word using a subkey according to the 
following steps: 

a) selecting a first group of data bits from the data bits of the permutated data word as 
determined by a first key bit of the subkey; 

b) selecting a second group of data bits from the first group of data bits obtained by the 
previous selection as determined by a second key bit of the subkey; and 

c) repeating step b), each time using an additional key bit in ord e r to select from the 
group obtained by the previous selection an additional group until the selected group comprises 
only one more data bit which corresponds to the data bit of the permutated data word. 
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This type of incremental selection procedure to map a data bit of the data word to be 
permutated to a data bit of the permutated data word provides the advantage that no storage 
elements are required for te-implement ation4 t. 

The permutation key, and possibly the substitution key, are regenerated before a new 
writing to the RAM memory , for example, after connection to a device containing the RAM 
m e mory . 

The substitution key, which comprises a number of substitution key bits T corresponding 
to the number of data bits A may be is-generated h e r e by picking out a corresponding number of 
bits from a sequence supplied by a random number generator. 

When generating the permutation key, car e must be taken that the individual subkeys 
preferably differ so as to ensure a one-to-one assignment of a data bit of the data word to be 
permutated to a data bit of the permutated data word. In order t To generate the individual sub- 
permutation-keys which are each assigned to a bit position of the permutated data word, and 
which together yield the permutation key, provision is made to generate a sub-permutation-key 
consecutively for each bit position of the permutated data word, and thereby to check whether 
the generated sub-permutation-key has already been generated for another bit position. If this 
sub-permutation-key has already been generated, it is rejected and a new sub-permutation-key is 
randomly generated for the given bit position. If the randomly generated sub-permutation-key 
does not yet exist, then this key is retained for the given bit position. This procedure repeats until 
forte-each bit position of the permutated data word one sub-permutation-key has been assigned 
for the selection of a data bit of the data word to be permutated. 

The decryption of the data words stored in the RAM is effected analogously to the 
encryption procedure. If in a two-step procedure comprising permutation and substitution the 
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data word to be encrypted is first permutated and then substituted, then during decryption the 
encrypted data word is first "back"-substituted using a second substitution key to undo the 
substitution effected during encryption, and subsequently "back"-permutated using a second 
permutation key in ord e r to undo the permutation effected during the encryption. 

If during encryption of the data word first a substitution and then a permutation are 
performed e ff e ct e d , then during decryption the encrypted data word is first permutated using the 
second permutation key, then substituted in ord e r to recover the original data word. 

Depending on the type of substitution used, the first substitution key can be selected in 
identical form to the second substitution key, for example, whenever the substitution comprises 
the consists in mapping of the individual data bits unchanged or inverted as determined by the 
key bits of the substitution key. 

Th e following e mploys embodim e nts to e xplain th e invention in more d e tail bas e d on th e 

figur e s. 

These and other objects, features and advantages of the present invention will become 
more apparent in light of the following detailed description of preferred embodiments thereof, as 
illustrated in the accompanying drawings. 

BRIEF DESCRIPTION OF THE DRAWINGS 

FIG.igure 1 is a block diagram illustration of shows an arrang e m e nt comprising an 
encryption and decryption unit arrang e m e nt which encrypts the data to be stored in a RAM 
random acc e ss m e mory and which decrypts the data read out from the RAMrandom access 
memory^ 
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FIGigure 2 is a block diagram illustration shows an e mbodiment of the a n-encryption and 
decryption unit of FIG. 1 ; arrang e m e nt comprising an e ncryption unit, a d e cryption unit, a k e y 
gen e rator, and a random numb e r g e n e rator. 

FIGigure 3 is a block diagram illustration shows an e mbodim e nt of the an-encryption 
unit of FIG. 2; arrang e ment which comprises a permutation unit and a substitution unit. 

FIG.tgure 4 is a block diagram illustration sch e matically illustrates the s tructur e of the a 
permutation unit of FIG. 3; which compris e s s e l e ction units. 

FIG.iguFe 5 is a block diagram illustration shows an e mbodiment of one of the a-selection 
units of the permutation unit of FIG. 4; which compris e s multipl e s e l e ction stag e s with s e l e ction 
switch e s. 

FIG.jgure 6 illustrates the functional principle of the a -selection unit of FIG. 5 for a data 
word of 8 bit widths 

FIG.igUFe 7 is a block diagram illustration s hows th e circuit logic - impl e m e nt e d 
e mbodim e nt of one of the selection switches of the selection unit of shown in FIG.tgure 5;t 

FIGigwe 8 is a block diagram illustration sch e matically illustrat e s an e mbodim e nt of the 
substitution unit of shown in FIG. igur e 3; 7 th e substitution unit comprising multipl e substitution 
e l e m e nts. 

FIG.jgure 9 is a block diagram illustration illustrates a possibl e e mbodim e nt of one of the 
substitution elements of the substitution unit of FIG. 8: shown in Figur e 8. 

FIG.jgure 10 illustrates the construction of the permutation key from subkeys and key 
bits, and the construction of the substitution key;7 
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FIGigttfe 11 is a block diagram illustration illustrat e s th e complete structur e o f a 
permutation unit of FIG. 2 for use in encrypting a an e ncryption unit as indicat e d in Figure 2 for 
data words of 4- four b itsiT 

FIGigure 12 is a block diagram illustration of shows the p e rmutation unit corr e sponding 
te-tfee-a_permutation unit of shown in FIG. igur e 244 for use in decrypting a data word of four 
bits a d e cryption unit as indicat e d in Figure 2; T and 

FIG.jgure 13 is a block diagram illustration sch e matically illustrat e s th e structur e of an 
internal memory^ provided in the key generator^ that t e-stores a first permutation key for the 
encryption of FIG. 11 and a second permutation key for the decryption of FIG. 12 . 

DETAILED DESCRIPTION OF THE INVENTION 

Unless otherwise indicated, like id e ntical reference numerals designate corresponding 
components and signals throughout the different views, notations in th e figur e s d e not e 
compon e nts and signals of id e ntical m e aning. 

FIG . igur e 1 illustrates shows a random access memory (RAM) 20 which is d e sign e d to 
stores data words of n-bit l e ngth width . The RAM M e mory 20 has an input 21 to read in data 
words to be stored, and an output 22 to read out stored data words. Not illustrated shown in 
FIG.igure 1 are the well-known required control wires through which the memory addresses are 
communicated to the RAM 20memory, at which addresses the individual data words are to be 
stored or from which addresses the individual data words are to be read out. 

Processing of the data words read into _ m e mory 20, or r e ad out of the RAM 20 this 
m e mory, is performed e ff e cted in a data processing unit 30, for example, a processor. Depending 
on the type of theis processor 30, the data words stored in the RAM m e mory 20 are, for example, 
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data words of a program code which is executed by the processor 30, or data words of video or 
audio data which are moved by the p rocessor 30 through suitable output units for playback, m 
order to b e p e rc e iv e d. 

The Q data processing unit 30 and the RAM m e mory 20 are not integrated on a common 
chip or integrated circuit C'IC\ as indicated in FIGigufe 1 by the broken line between the data 
processing unit 30 and the RAM m e mory 20. In ord e r t To prevent any "wiretapping" of or 
interference with data communication between the data processing unit 30 and the RAM 
m e mory 20, an encryption and decryption unit 10 is provided between the data processing unit 
30 and the RAM m e mory 20 on the same chip on which the data processing unit 30 is located. 
The encryption/decryption unit This d e vic e 10 encrypts data words M outputted by the data 
processing unit 30 so as to provide encrypted data words M' which are stored word-by- word in 
the RAM m e mory 20. In the reverse direction, the encryption/decryption unit d e vic e 10 decrypts 
the data words M' stored in encrypted form in the RAM memory 20 in ord e r to recreate the 
original data words M processed processabl e b y the data processing unit 30. In FIGiguFe 1 and 
subsequently, M denotes an arbitrary unencrypted data word of width i ength-n, while M' denotes 
an arbitrary encrypted data word of width i ength-n generated by encrypting a data word M. 

FIG.jgure 2 schematically illustrates the structure of the t his-encryption and decryption 
unit d eviee-10 in more detail . The unit 10 d e vice shown comprises an encryption unit 1 1 which 
has an input 110 of n-bit width to receive suppH^an unencrypted data word M, and an output 1 1 1 
that provides to output an encrypted data word M'. Encryption of the data word M is performed 
e ff e cted as determined by a first key C which is provided by a key generator 13. To For th e 
purpose of supplying this first key C, a binary random sequence RS is fed by a binary random 
number generator 12 to the key generator 13. 
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The encryption/decryption unit D eviee-10 further comprises a decryption an encryption 
unit 11' with an input 110' to supply an encrypted data word M' of n-bit width, and an output 
1 1 T to supply the decrypted data word M generated from the encrypted data word M\ The 
decryption is performed effected as determined by a second key C which is matched to the first 
key C and which is also provided by the key generator 13. 

The encryption d e cryption u nit 1 1 maps the data word M using the first key C uniquely to 
the encrypted data word M', wherein: 



where E stands for the encryption function implemented by the encryption unit 11. 
Analogously: 



where D stands for the decryption function implemented by the decryption unit 1 1 
FIG.jgure 3 sch e matically illustrates in more detail an embodiment of the encryption unit 
11 of FIG. 2 which in the example comprises a permutation unit 14 and a substitution unit 15. 
The P permutation unit 14 has inputs to receive supply the individual data bits M[n-1]...M[0] of 
the data word M, and has outputs to supply data bits Mp[n-1], Mp[k], Mp[0] of a permutated 
data word Mp. The individual data bits Mp[n-l]...Mp[0] of the permutated data word Mp result 
from the data bits M[n-1]...M[0] of the data word M by permutatio n or / rearrangement as 
determined by a permutation key P. The permutation may be performed hero is eff e ct e d on a 
one-to-one basis, that is, one data bit each of the unencrypted data word M is mapped to one data 
bit of the permutated data word Mp. 

In the example, the data bits Mp[n-l]...Mp[0] of the p ermutated data word Mp are then 
substituted by a substitution unit 15 as determined by a substitution key S, wherein the 



M' = E(M,C) 



Ok 



M = D(M',C) 
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substitution unit 15 provides the data bits of the encrypted data word M'. As determined by the 
substitution key S, one data bit each of the p ermutated data word Mp is mapped by the 
substitution unit 15 to one data bit M f [n-1]...M'[0] of the encrypted data word M'. 

The following explains the structure and the functional principle of the permutation unit 
14 with respect to bas e d on FIG igur es . 4-7. 5 through 7. Also, N e xt, the structure and functional 
principle of the substitution unit 15 is will b e explained with respect to FIGs. 8-9. b as e d on 
Figur e s 8 and 9. 

With reference to FIG.igufe 4, the p ermutation unit 14 has a number of selection units 
14_n-1...14_0 corresponding to the number of data bits of the data word M to be encrypted. 
wh e r e in a All of the data bits M[n-1]...M[0] of the data word M to be encrypted M-are supplied to 
each of these selection units^ and wh e rein t The individual selection units 14_n-1...14J) each 
provide a data bit Mp[n-l]...Mp[0] of the permutated data word Mp. Mapping of one of the data 
bits of the u nencrypted data word M to one of the data bits of the p ermutated data word Mp is 
performed eff e cted in the selection units 14_n-1...14_0 as determined by sub-permutation-keys 
P[n-1], P[k], P[0]. Each of these sub-permutation-keys differ in ord e r to map each of the data bits 
of the input data word M exactly once to a data bit of the p ermutated data word Mp. The sub- 
permutation-keys together produce the permutation keyP, where 
P = (P[n-l], ...P[0]). 

The individual selection units 14_n-1...14_0 are structured identically, the structure of a 
random one of these selection units, for example, the here-selection unit 14_k, being-explained 
below with respect to b as e d on FIG.jgure 5. 
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Theis selection unit 14_k (FIG. 4) p rovides the data bit Mp[k] from the data bits M[n- 

1]...M[0] of the data word M as determined by the sub-permutation-key P[k] a 7 which This sub - 
p e rmutation k e y comprises m key bits P[k,m-l]...P[k,0]. 

Referring to FIG. 5, the ^ selection unit 14_k comprises multiple selection stages 141_0...141_m- 
1. All of the data bits of the input data word M are supplied to a first selection stage 141 J). As 
determined by a first key bit P[k,0] of the sub-permutation-key P[k], theis first selection stage 
1410 selects a first group of data bits which are supplied to a second selection stage 141_1. As 
determined by a second key bit P[k,l], the second selection stage 141_1 generates from this first 
group of data bits a second group of data bits which is supplied to the third selection unit 141_2. 

In the example illustrated in FIG. 5, shown, reduction of the data bits present in the 
respective groups is performed e ff e ct e d from selection stage to selection stage by a factor of 2, 
such that after m = log2(n) selection stages only one data bit is left which corresponds to data bit 
Mp[k] of the permutated data word Mp. In this example in which n = 32 = 2 5 , there are thus m = 
5 selection stages. 

Also, il n the example of FIG. 5 , each of the selection stages comprises a number of 
selection switches 142, to which two data bits each of a data group are supplied, and which, as 
determined by a permutation key bit, select one of the two data bits and pass it on to the next 
selection stage. 

The supply of the individual data bits to the selection switches of each of the giv e n 

selection stages is performed e ff e ct e d such that two data bits each are supplied to a selection 
switch, which data bits have successive bit positions in relation to the group from which the 
given-selection stage has made a selection. In the example of FIGigure 5, the respective higher- 
order bit is supplied to a first input INI of the selection switch 142 , while the respective lower- 
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order bit is supplied to a second input IN2; of the given-selection switch 142. In the example 
shown, for g iv e n a key bit "1", the bit applied at the input IN1 _, that is, the higher ord e r bit, is 
passed to output OUTl 7 and thus-to the next selection stage. 

The functional principle of the selection stage illustrated shown in FIGigefe 5 is 
explained below based on an 8-bit-wide data word M with respect to i n-FIG.igure 6. From these 
eight 8-data bits M[7]...M[0], one bit is selected to generate the data bit Mp[k] of the permutated 
data word. The first key bit P[k,0] of the subkev P[k] has a value of 1 so that out of two data bits 
that are consecutive in terms of significance the higher-order data bit o ne-is selected, thus 
yielding a first group with data bits M[7], M[5], M[3], and M[1J. Out of each two consecutive 
data bits , in terms of their significance; data bits, that is, (i.e, data bits M[7], M[5] and M[3], 
M[l]), one data bit each is selected as determined by the second key bit P[k,l]. In the example, 
this key bit is "0", so that in each case the lower-order one of the two data bits is selected, that is, 
data bits M[5], M[l]. Out of this resulting additional group of data bits, one data bit is selected , 
in this case the higher-order on e or data bit M[5], is s e l e ct e d as determined by the third key bit 
P[k,2] in ord e r to generate the data bit Mp[k] of the permutated data word. 

If on e arrang e s the data bits in each of the selection groups are arranged as a function of 
their significance, and out of two adjacent ones in terms of their significance given a key bit "1" 
on e s e l e cts the higher-order data bit is selected , and given a key bit "0" on e selects the lower- 
order one of these two data bits is selected , then the value of the bit position of the selected data 
bit, in this case of data bit M[5], corresponds to the decimal equivalent of the subkev P[k], as 
explained below^ 

If the on e vi e ws subkev P[k] is viewed as a binary numerical sequence, the most 
significant bit (MSB) of which is generated by the key bit P[k,m-1] of the last selection stage, 
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and the least significant bit (LSB) of which is generated by key bit P[k,0] of the first selection 
stage, then the decimal equivalent of this binary sequence, in this case 101 2 = 5 10, corresponds to 
the bit position of the data bit M[5] selected from the data word M. 

A circuit-logic implementation of one embodiment of one of the selection switches 142 is 
illustrated shown in FIG.igure 7. In ord e r tT o implement the described selection function, the 
selection switch 142 comprises two AND gates, AND1, AND2, the outputs of which are 
supplied to an OR gate* OR1, wherein the output of this OR gate forms the output OUT1 of the 
selection switch 142 , One each of the inputs INI, IN2 to supply the data bits is supplied to one of 
the AND gates,, AND1, AND2. The other input of the AND gate AND1 is coupled to the third 
input IN3 to supply a key bit, wherein this key bit is supplied in inverted form through an 
inverter INV1 to the other input of the AND gate AND2. When a logical "1" is applied at the 
third input IN3, the data bit applied at the first input INI is passed through the first AND gate bit 
AND1 and the OR gate OR1 to the output OUT1. Given a logical "0" at the third input IN3, the 
data bit at the second input IN2 is accordingly passed through the second AND gate AND2 and 
the OR gate OR1 to the_output OUT1 . 

With reference to FIG.igure 8, the substitution unit 15 comprises a number of substitution 
elements 15_n-1...15_0 corresponding to the number of data bits^ eOne data bit of the data word 
to be substituted is bein^-supplied to each of the substitution elements; in the example of 
FIG.ifUfe 3, that of the permutated data word Mp. The substitution key S, on the basis of which 
the substitution is e ff e ct e d performed , comprises n key bits S[n-l]...S[0], wherein one of these 
key bits S[n-l]...S[0] is supplied to each of the substitution elements. The S substitution elements 
15_n-l.„15_0 are designed, as determined by the respective substitution key bit S[n-l]...S[0], to 
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output in unchanged or inverted form the data bit Mp[n-l]...Mp[0] supplied to the respective 
substitution element 15_n-1...15_0. 

A circuit-logic implementation of an embodiment of theis substitution element 15 is 
illustrated shown in FIGigure 9. The substitution element 15Jc comprises a-first and second 
AND gates AND3, AND4, and an OR gate OR2 connected following the AND gates AND3, 
AND4^ at-tThe output of the whieh-OR gate OR2 provides the substituted data bit is provid e d . 
The substituted data bit is supplied to the substitution element through a first input IN4, and this 
data bit is supplied in inverted form by a first inverter INV2 to the first AND gate AND3, and in 
unchanged form to the second AND gate AND4. The respective substitution key applied at a 
second input INS of the substitution element is supplied to the first AND g ate AND3 in 
unchanged form, and to the second AND gate AND4 in inverted form by a second inverter 
INV3. This arrangement ensures that given a substitution key bit "1" the data bit applied at the 
first input IN4 is provided in inverted form, and given a substitution key bit "0" this data bit is 
provided in unchanged form at the o utput OUT2. 

In the embodiment of FIG.igure 3, the encrypted data word M' is generated from the 
unencrypted data word M by permutation and subsequent substitution of the data word Mp 
resulting from the permutation. It is of course und e rstood that it is also possible first to substitute 
the data word M using the substitution key SM, and then to permutate the resulting substituted 
data word using the permutation key P in ord e r to arrive at the encrypted data word M\ 

The determining factor for the efficacy of an encryption system is the number of different 
possible keys. In the example described, the key C to encrypt the data word M is composed of 
the permutation key P and the_substitution key S. The P permutation key P comprises a number of 
subkeys corresponding to the number of data bits, the widthl ength of the subkeys being defined 
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by m=log2(n). With reference to FIG.iguFe 10, the permutation key P_can be viewed as a vector 
with n subkeys P[n-l]...P[0], or as an n x m matrix of individual subkey bits P[n-l,m-l]...P[0,0]. 
For data words of widthiength n=32, the permutation key P_comprises 32 different subkeys P[n- 
1]...P[0], thereby resulting in 32! different key combinations. Given that for the substitution key 
S there are 2 n available possibilities, then for the number N possible keys C for data words to be 
encrypted of width k*refe-n=32 the result is: N = (32!>2 32 . 

The S substitution key S for encryption and decryption can e asily b e generated as part of a 
binary random sequence. 

A method of generating the permutation key P_is explained below for a data word of 
width length n=4 bit based on F IGs. jgures 11-13. 11 through 13. 

FIG.igure 11 illustrates first shows a first permutation unit 14 that t e-generates the 
permutated data word Mp from the data word M with n=4 selection units 14 3, 14 2, 141, 14 0 
which are each of two-stage form (m=log 2 4^2). 

FIGigure 12 illustrates shows-a second permutation unit 14' corresponding to the 
permutation unit 14 of FIGigure 1 1 which functions to undo the permutation effected by the first 
permutation unit 14 as it decrypts the data word in the decryption unit 11 ( 11 in FIG. igur e 3). 
Theis second permutation unit 14 ? is identical to the first permutation unit 14 in structure and 
comprises four selection units 14'_3, 14'_2, 14'_1, and 14'_0. Each of these selection units 14 f _3 
... 14'_0 functions to map one of the data bits Mp[3]...Mp[0] of the permutated data word Mp 
back to one of the data bits M[3]...M[0] of the original data word M. This selection of one of the 
data bits in the individual selection units 14 , _3...14 f _0 is performed e ff e ct e d in each case as 
determined by the subkeys P'[3]... P'[0] of a second permutation key P\ T wherein i ln the example 
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illustrated, s hewn-P' =(P'[3], F[2], P'[l], P'[0]), where the individual subkeys F[3]...P'[0] each 
comprisesiftg two subkey bits P'[3,1]...P'[0,0]. 

The generation of the subkeys P[3]... P[0] of the first permutation key P and of the 
associated subkeys P'[3]...P'[0] of the second permutation key P' is explained belew^-based on 
FIGigure 13. 

To generate the first and second permutation keys P, P' 3 the key generator 13 ( 13 in 
FIGigBFe 2) comprises a first and second key memory 131, 131% as well as an assignment 
register* 132. The R kev memories 131, 131' are-each de s ign e d to store n subkeys of key width 
m=log2(n). Given n=4, four subkeys of widthlength 2 are storable in each of the key memo riesy 
13K 13T . Assignment of the subkeys stored in the first key memory 131 to the selection units 
14_3...14_0, and thus to the individual data bits of the permutated data word Mp, is performed 
effected through the address of the key memory 131 which is addressable line-by-line and which 
in the example comprises n=4 lines. The memory address of a subkey in theis first key m emory 
131 corresponds h e r e to the bit position of the data bit of the permutated data word to which the 
respective key is assigned. A subkey P[k] at the memory address k of the key memory 131 is 
thus assigned to the k th data bit Mp[k] of the p ermutated data word Mp, where k represents one 
of the possible line addresses 0...n-l of the memory. 

Assignment of subkeys P'[3]...P f [0] of the second subkey P' to the selection units 14 f _3 ... 
14'_0 or to the data bits M[3]...M[0] of the original data word is performed e ff e ct e d 
analogously. That is, the subkey P'[k] stored at the memory position k of the second key memory 
13 T is assigned to the selection unit 14 f _k and determines which of the data bits of the 
permutated data word Mp is to be mapped to the data bit M[k] at the k* position of the data word 
M. 
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Generation of the subkeys P[3]...P[0] of the first permutation key and of the second 
subkeys P'[3]...P'[0] is performed e ff e ct e d in a mutually matched fashion by a procedure which i s 
explained below. 

The subkeys of th^first permutation key P are generated consecutively as random binary 
sequences of width length m=2 using the function generator 12 illustrated shewn-in FIG.iguFe 2. 
As explained, the individual subkeys mus^differ from one another in ord e r to obtain a one-to-one 
assignment of the data bits of the data word M to be permutated M-to the data bits of the 
permutated data word Mp. In the example described based on FIGsigwes 1 1 and 12, there are 
n=4 different subkeys which can be assigned randomly to the four selection units. 

One memory position of the assignment register 132 is assigned to each of the possible 
different subkeys, in this case, "11", "10", "01", "00". ? wh e r e in aA predetermined value is 
entered in the assignment register 132 at the respective position if the assigned subkey has 
already been generated at a memory position of the memory 131, and thus for one of selection 
units 14_3...14_0, so as to avoid again-generating the same key at a different memory address, 
and thus for another selection unit 14_3...14_0. 

In the example, the assignment of a certain one of the possible subkeys to a memory 
address of the assignment register 132 is performed e ff e ct e d by directly mapping the value 
represented by the subkey to the address of the memory position of the mapping memory 
assignment register 132, For example, the memory position 102=2 of the assignment register 
m e mory 132 is thus assigned to a subkey "10". If P[k]=w n _i ... w 0 applies for a subkey, then for 
the address assigned to this subkey: 



| * This is later called "assignm e nt m e mory 132 and, in th e list of r e f e r e nc e numb e rs, "selection r e gister," Translator. 
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i=n-\ 
i=0 

In ord e r t To generate the permutation key, the respective subkeys are randomly generated 
consecutively for the individual memory addresses of the first permutation key memory 131, 
wherein after generation of a given subkey a determination is made based on examination of the 
assignment register whether such a subkey has already been generated. If such a subkey has 
already been generated, the subkey is rejected and a new subkey is randomly generated. This 
procedure is repeated until subkeys have been generated for all the memory positions, and thus 
for all the selection units of the p ermutation unit 14. 

When one of the possible subkeys is generated for the first time, a certain value, for 
example a "1," is entered at the memory address, assigned to this key, of the assignment register 
m e mory 132. If this subkey is randomly generated once again for another memory position of the 
memory 131, this is detected in the assignment register m e mory 132 based on the value entered, 
and the subkey is rejected for this different memory position. 

As explained above, the binary value of a subkey P[3]...P[0] which is assigned to a 
selection unit 14_3...14_0 or to a data bit Mp[3]...Mp[0] of the permutated data word Mp 
corresponds to the data position of the data bit M[3]...M[0] of the input word M selected by the 
respective selection unit. Accordingly, the subkeys P ? [n-l]...P'[0] of the second permutation key 
P f each indicate which of the data bits of the permutated data word Mp is to be mapped to the 
data bit M[3]...M[0] to which the respective subkey is assigned. 
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If the general condition applies that a subkey P[k] assigned to the k th data bit Mp[k] of the 
permutated data word Mp maps the X th data bit M[i] of the permutated data word to this data bit 
of the p ermutated data word Mp, then, conversely, the subkey P f [i] assigned to the i th data bit 
must map the k th data bit of the permutated data word Mp to this data bit. 

The S second key memory 13T is organized analogously to the first key memory 13L T 
tThat is, the addresses at which the individual subkeys P'[n-l]...P'[0] are stored correspond to the 
bit positions of the data bits M[n-1]...M[0] to which the individual subkeys are assigned. 

In ord e r t To generate a matching subkey of the_second permutation key P ? for a randomly 
generated subkey P[k] of the first permutation key P, which subkey is assigned to the k th data bit 
of the p ermutated data word Mp, the address value k of the first subkey P[k] is entered at the 
address in the second key memory 131', the value of which corresponds to the binary value i * 
represented by the first key^ that is. In oth e r words, for P[k]=i, P'[i]=k. 

Generation of the first and second permutation keys can be performed d o scrib e d by the 
following routine algorithm : 
Line 1 : FOR k = (n-1) DOWNTO 0 

Line 2: Fetch random number from generator and compute i 
Line 3: Check if MapReg (i) = 1, if true, go to Line 2 
Line 4: Set MapReg(i) = 1 
Line 5: Set o_store(k) = i 
Line 6: Set i_store(i) = k 
Line 74: NEXT k. 
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MapReg(i) here represents the value at address k of the assignment registe r 132 . The 
expression o_store(k) represents the value at address k of the first memor y 131 , while i_store(i) 
represents the value at address i of the_second memory 131'. 

As explained above, the permutation performed e ffectcd during encryption and 
analogously during decryption is augmented by a substitution as determined by a substitution 
key. This substitution can be e ffect e d performed either before the permutation or after the 
permutation, the procedure being eff e ct e d performed in the reverse order during the decryption. 
If during encryption the substitution is e ff e ct e d performed after the permutation, then during 
decryption the re-substitution is eff e ct e d p erformed b efore the permutation. During the above- 
described substitution in which, as determined by the substitution key bits, the respective 
assigned data bit is passed on either inverted or unchanged, the same substitution key used 
during decryption is used during encryption. 

Although the present invention has been illustrated and described with respect to several 
preferred embodiments thereof various changes, omissions and additions to the form and detail 
thereof, may be made therein, without departing from the spirit and scope of the invention. 

What is claimed is: 
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List of r e f e r e nc e notations 



AND1 AND 4 AND gat e 

key 

INI INS inputs 

INV1,INV2 inverter 

M data word 

M[n 1]...M[0] data bits 

M ! [n - 1]...M'[0] data bits of an e ncrypt e d data word 

Mp[n l]...Mp[0] data bits of a p e rmutat e d data word 

ORl,OR2 OR gate 

OUTl,OUT2 outputs 

P p e rmutation k e y 

P[n 1]...F[0] subk e y of a p e rmutation k e y 

S substitution k e y tes 2 

4-0 e ncryption and d e cryption unit 

44 e ncryption unit 

44 J d e cryption unit 

43 k e y g e n e rator 

44 p e rmutation unit 

1 4 _n - L..1 4 _0 s e l e ction unit 

4-S substitution unit 

15_n L..15_0 substitution units 

30 random acc e ss m e mory, RAM 

30 random numb e r g e n e rator 

34 input of the RAM 

33 output of the RAM 

50 data proc e s s ing unit 

440 input of th e e ncryption unit 

440* input of the d e cryption unit 



| 3 Translators note: this do es not appear to b e long. 
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444 output of th e encryption unit 

444 output of th e d e cryption unit 

445 k e y input of th e e ncryption unit 

44-2 k e y input of th e d e cryption unit 

434 first p e rmutation k e y memory 

444 s e cond p e rmutation k e y m e mory 

443 s e lection r e gist e r 

1 4 1_n - 1... 1 4 10 selection stages 

443 s e l e ction switch 
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